Study Shows Many iPhone Apps Defy Apple’s Privacy Advice

Why It Matters

Little is known about how mobile apps use the potentially sensitive data they have access to.

You decide: Researchers developed an app that can detect which personal data iPhone apps try to access and selectively block that access.

In 2011, Apple advised that iPhone and iPad apps should stop logging the unique identifiers of users’ devices, a practice that can be exploited to build up profiles for ad-targeting purposes. But a new study by researchers at the University of California, San Diego, suggests that many apps still do so.

At the MobiSys conference in Taiwan this week, the researchers will present data gathered from 225,000 apps installed on 90,000 ordinary iPhones. Their analysis shows that between February 2012 and December 2012, 48 percent of those apps accessed the unique device ID, or UDID, of the phone they were installed on. The full paper is available online (PDF).

Apple’s mobile operating system, iOS, does not usually allow apps to monitor each other, so the information was gathered from users of “jailbroken” iPhones, on which Apple’s usual controls have been disabled to allow modification of the device and installation of apps not offered through Apple’s App Store. The researchers say their results are relevant to all iPhone users, because a large majority of apps used on jailbroken devices are the same as those used on unmodified phones.

The app that collected the data is called ProtectMyPrivacy. Once installed, it detects which data the other apps on a phone try to access. If an app tries to access potentially sensitive data, ProtectMyPrivacy notifies the phone’s owner, who can choose to selectively block that access. Users can choose to prevent, for example, a particular app from accessing their contacts, location, or UDID; they can also apply automatic recommendations concerning what to block or allow for particular apps. The new study is based on data collected from users who opted to share anonymized information from ProtectMyPrivacy.

Since May 1, Apple’s official policy has been to reject apps that access a device’s UDID, but it is unknown how strictly that rule is applied. Yuvraj Agarwal, who led the UCSD study with colleague Malcolm Hall, says he found that around 40 percent of apps on phones with ProtectMyPrivacy installed still try to access a device’s UDID. Some of those apps have been updated since May 1, he says, meaning a new version was uploaded to Apple’s iTunes store. This suggests either that Apple is not catching all apps that access the UDID or that it’s letting some pass even though they’re known to do so.

Agarwal calls the picture he and Hall uncovered “staggering.” Apps can still access the UDID because, to avoid breaking old apps, Apple didn’t block access to it in the latest version of its mobile software, iOS 6. “I think a lot of the apps are still [recording the UDID] just because the [application programming interface] is available,” says Agarwal.

Jeremy Linden, security product manager at the mobile security company Lookout, says that even if app makers heed Apple’s guidelines about UDIDs, they have other ways to track their users. For example, recording the unique code assigned to a device’s Wi-Fi chip, called a MAC address, “could be used to track a device across different ad networks and analytics services,” he says. And there would be “no way to opt out.”

UDID access will disappear on devices that upgrade to Apple’s new iOS 7 software, which will be released late this year. Linden says that Apple also appears to be taking other measures in iOS 7 to curb tracking of users’ actions by apps. “From my understanding, they are eliminating all access to unique device identifiers,” he says. “This is great for user privacy and sets an example for the industry.”

Apple has also created a dedicated identifier for apps that want to track users. IDFA (for “identifier for advertising”) is intended to offer better privacy controls. Users can reset their IDFA anytime for security or privacy reasons, and it also connects to a “Limit Ad Tracking” feature in iOS.

One issue that will remain, however, is that the company’s relatively closed software ecosystem makes it difficult for independent researchers such as Agarwal to scrutinize just what apps are doing on Apple devices. Most academics interested in mobile security and privacy work on Google’s Android operating system instead; Google’s software is easier to tinker with, and software that is not offered through Google’s software store can still be installed on an Android phone. It is also easier for research apps to get into the Google mobile app store.

Agarwal says he submitted an app to the official Apple store that would let people look up the data ProtectMyPrivacy had collected about apps they were using, but it was rejected. When an Apple employee called to discuss the matter, Agarwal says, he asked what needed to change for the app to be accepted, but he was told, “We have a problem with the concept of the app.”

Apple did not respond to a request for comment on the UCSD study by time of publication.